jwe 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 05c87a9be4e5864d4f31495bd609ff3d4abf1a68
-  data.tar.gz: dc5edbbac44a91be23673da3f5d0b2beb91a8245
+SHA256:
+  metadata.gz: a3be72771de62015739c8c0f4db8b6c39c082ed7a3870fb5dce44870418eb2f1
+  data.tar.gz: 65f2fc6f7c1ee46e6524b1e631f0858898348e3a67a2328f522ca449c9a9c0ae
 SHA512:
-  metadata.gz: a26d929b4124949bbac9137855a32b42a9ab9165c0025e405e924937e99c9222e88096a1d5e40c93360f4e491df4f43ebe80a4f6d9fe0bba8bc34b9d10a94d99
-  data.tar.gz: b3e9575add99b0ad449c083a3981d419aaeaf17748591f00e293fcb61e556257b2b371af2c13c7ce8f294cfe72ec39d0f5cac7d6f2b46dd2c2864045410962dc
+  metadata.gz: a12f84808b5911b81f4afbf2e3ad615abae6543ead869cf1fac1f27b4270158367312b0e5a05b09b3ebf38780344896fa20cb832c7257386cccf8b6d37bdce86
+  data.tar.gz: 4e76467052e21da130ed4b5cd2501d861f2011fc4b91600eb86715f32eee0182a2e65a2ea17f5ef35f38516821394ed925768cc66f6f620dcfa53deeb20ef8c1

data/.rubocop.yml

@@ -1,5 +1,9 @@
 Metrics/LineLength:
   Enabled: false
 Style/RaiseArgs:
-  EnforcedStyle: compact
-
+  Enabled: false
+Metrics/BlockLength:
+  Enabled: false
+Style/PercentLiteralDelimiters:
+  PreferredDelimiters:
+    "%w": "[]"

data/.travis.yml

@@ -1,10 +1,14 @@
 language: ruby
+dist: trusty
 rvm:
-  - 2.0.0
-  - 2.1.0
-  - 2.2.0
-  - 2.3.0
-  - 2.4.0
-addons:
-  code_climate:
-    repo_token: b5653aee7f7a47c0d70a89feb535648aa06575497b1eab9e16068c49bf4462c3
+  - 2.0.0-p648
+  - 2.1.10
+  - 2.2.7
+  - 2.3.4
+  - 2.4.1
+
+after_script:
+  - bundle exec codeclimate-test-reporter
+
+env:
+  CODECLIMATE_REPO_TOKEN: d9854e6b60cf9cbd78bb8036da0a5c63d6178a14a19a8043752dc5fecec99831

data/Gemfile

@@ -1,4 +1,3 @@
-# encoding: utf-8
 source 'https://rubygems.org'
 
 gemspec

data/README.md

@@ -1,8 +1,8 @@
 # JWE
 
 [![Build Status](https://travis-ci.org/jwt/ruby-jwe.svg)](https://travis-ci.org/jwt/ruby-jwe)
-[![Code Climate](https://codeclimate.com/github/aomega08/jwe/badges/gpa.svg)](https://codeclimate.com/github/aomega08/jwe)
-[![Test Coverage](https://codeclimate.com/github/aomega08/jwe/badges/coverage.svg)](https://codeclimate.com/github/aomega08/jwe/coverage)
+[![Code Climate](https://codeclimate.com/github/jwt/ruby-jwe/badges/gpa.svg)](https://codeclimate.com/github/jwt/ruby-jwe)
+[![Test Coverage](https://codeclimate.com/github/jwt/ruby-jwe/badges/coverage.svg)](https://codeclimate.com/github/aomega08/jwe/coverage)
 
 A ruby implementation of the [RFC 7516 JSON Web Encryption (JWE)](https://tools.ietf.org/html/rfc7516) standard.
 
@@ -73,6 +73,20 @@ plaintext = JWE.decrypt(encrypted, key)
 puts plaintext #"The quick brown fox jumps over the lazy dog."
 ```
 
+This example sets an extra **plaintext** custom header.
+
+```ruby
+require 'jwe'
+
+key = OpenSSL::PKey::RSA.generate(2048)
+payload = "The quick brown fox jumps over the lazy dog."
+
+# In this case we add a copyright line to the headers (it can be anything you like
+# just remember it is plaintext).
+encrypted = JWE.encrypt(payload, key, copyright: 'This is my stuff! All rights reserved')
+puts encrypted
+```
+
 ## Available Algorithms
 
 The RFC 7518 JSON Web Algorithms (JWA) spec defines the algorithms for [encryption](https://tools.ietf.org/html/rfc7518#section-5.1)
@@ -131,4 +145,3 @@ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-

data/Rakefile

@@ -3,4 +3,5 @@ begin
   RSpec::Core::RakeTask.new(:spec)
   task default: :spec
 rescue LoadError
+  puts 'Where is RSpec?'
 end

data/jwe.gemspec

@@ -13,11 +13,12 @@ Gem::Specification.new do |s|
   s.license     = 'MIT'
 
   s.files = `git ls-files`.split("\n")
-  s.require_paths = %w(lib)
+  s.require_paths = %w[lib]
 
   s.required_ruby_version = '>= 2.0.0'
 
   s.add_development_dependency 'rspec'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'simplecov'
+  s.add_development_dependency 'codeclimate-test-reporter'
 end

data/lib/jwe.rb

@@ -9,6 +9,7 @@ require 'jwe/alg'
 require 'jwe/enc'
 require 'jwe/zip'
 
+# A ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard.
 module JWE
   class DecodeError < RuntimeError; end
   class NotImplementedError < RuntimeError; end
@@ -19,46 +20,80 @@ module JWE
   VALID_ENC = ['A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A192GCM', 'A256GCM'].freeze
   VALID_ZIP = ['DEF'].freeze
 
-  def self.encrypt(payload, key, alg: 'RSA-OAEP', enc: 'A128GCM', zip: nil)
-    raise ArgumentError.new("\"#{alg}\" is not a valid alg method") unless VALID_ALG.include?(alg)
-    raise ArgumentError.new("\"#{enc}\" is not a valid enc method") unless VALID_ENC.include?(enc)
-    raise ArgumentError.new("\"#{zip}\" is not a valid zip method") unless zip.nil? || zip == '' || VALID_ZIP.include?(zip)
-    raise ArgumentError.new('The key must not be nil or blank') if key.nil? || (key.is_a?(String) && key.strip == '')
+  class << self
+    def encrypt(payload, key, alg: 'RSA-OAEP', enc: 'A128GCM', **more_headers)
+      header = generate_header(alg, enc, more_headers)
+      check_params(header, key)
 
-    header = { alg: alg, enc: enc }
-    header[:zip] = zip if zip && zip != ''
+      payload = apply_zip(header, payload, :compress)
 
-    cipher = Enc.for(enc).new
-    cipher.cek = key if alg == 'dir'
+      cipher = Enc.for(enc)
+      cipher.cek = key if alg == 'dir'
 
-    payload = Zip.for(zip).new.compress(payload) if zip && zip != ''
+      json_hdr = header.to_json
+      ciphertext = cipher.encrypt(payload, Base64.jwe_encode(json_hdr))
 
-    ciphertext = cipher.encrypt(payload, Base64.jwe_encode(header.to_json))
-    encrypted_cek = Alg.for(alg).new(key).encrypt(cipher.cek)
+      generate_serialization(json_hdr, Alg.encrypt_cek(alg, key, cipher.cek), ciphertext, cipher)
+    end
 
-    Serialization::Compact.encode(header.to_json, encrypted_cek, cipher.iv, ciphertext, cipher.tag)
-  end
+    def decrypt(payload, key)
+      header, enc_key, iv, ciphertext, tag = Serialization::Compact.decode(payload)
+      header = JSON.parse(header)
+      check_params(header, key)
+
+      cek = Alg.decrypt_cek(header['alg'], key, enc_key)
+      cipher = Enc.for(header['enc'], cek, iv, tag)
+
+      plaintext = cipher.decrypt(ciphertext, payload.split('.').first)
+
+      apply_zip(header, plaintext, :decompress)
+    end
+
+    def check_params(header, key)
+      check_alg(header[:alg] || header['alg'])
+      check_enc(header[:enc] || header['enc'])
+      check_zip(header[:zip] || header['zip'])
+      check_key(key)
+    end
+
+    def check_alg(alg)
+      raise ArgumentError.new("\"#{alg}\" is not a valid alg method") unless VALID_ALG.include?(alg)
+    end
 
-  def self.decrypt(payload, key)
-    header, enc_key, iv, ciphertext, tag = Serialization::Compact.decode(payload)
-    header = JSON.parse(header)
-    base64header = payload.split('.').first
+    def check_enc(enc)
+      raise ArgumentError.new("\"#{enc}\" is not a valid enc method") unless VALID_ENC.include?(enc)
+    end
 
-    raise ArgumentError.new("\"#{header['alg']}\" is not a valid alg method") unless VALID_ALG.include?(header['alg'])
-    raise ArgumentError.new("\"#{header['enc']}\" is not a valid enc method") unless VALID_ENC.include?(header['enc'])
-    raise ArgumentError.new("\"#{header['zip']}\" is not a valid zip method") unless header['zip'].nil? || VALID_ZIP.include?(header['zip'])
-    raise ArgumentError.new('The key must not be nil or blank') if key.nil? || (key.is_a?(String) && key.strip == '')
+    def check_zip(zip)
+      raise ArgumentError.new("\"#{zip}\" is not a valid zip method") unless zip.nil? || zip == '' || VALID_ZIP.include?(zip)
+    end
 
-    cek = Alg.for(header['alg']).new(key).decrypt(enc_key)
-    cipher = Enc.for(header['enc']).new(cek, iv)
-    cipher.tag = tag
+    def check_key(key)
+      raise ArgumentError.new('The key must not be nil or blank') if key.nil? || (key.is_a?(String) && key.strip == '')
+    end
 
-    plaintext = cipher.decrypt(ciphertext, base64header)
+    def param_to_class_name(param)
+      klass = param.gsub(/[-\+]/, '_').downcase.sub(/^[a-z\d]*/) { $&.capitalize }
+      klass.gsub(/_([a-z\d]*)/i) { Regexp.last_match(1).capitalize }
+    end
+
+    def apply_zip(header, data, direction)
+      zip = header[:zip] || header['zip']
+      if zip
+        Zip.for(zip).new.send(direction, data)
+      else
+        data
+      end
+    end
+
+    def generate_header(alg, enc, more)
+      header = { alg: alg, enc: enc }.merge(more)
+      header.delete(:zip) if header[:zip] == ''
+      header
+    end
 
-    if header['zip']
-      Zip.for(header['zip']).new.decompress(plaintext)
-    else
-      plaintext
+    def generate_serialization(hdr, cek, content, cipher)
+      Serialization::Compact.encode(hdr, cek, cipher.iv, content, cipher.tag)
     end
   end
 end

data/lib/jwe/alg.rb

@@ -1,17 +1,25 @@
 require 'jwe/alg/a128_kw'
+require 'jwe/alg/a192_kw'
+require 'jwe/alg/a256_kw'
 require 'jwe/alg/dir'
 require 'jwe/alg/rsa_oaep'
 require 'jwe/alg/rsa15'
 
 module JWE
+  # Key encryption algorithms namespace
   module Alg
     def self.for(alg)
-      klass = alg.gsub(/[-\+]/, '_').downcase.sub(/^[a-z\d]*/) { $&.capitalize }
-      klass.gsub!(/_([a-z\d]*)/i) { Regexp.last_match(1).capitalize }
-      const_get(klass)
-
+      const_get(JWE.param_to_class_name(alg))
     rescue NameError
       raise NotImplementedError.new("Unsupported alg type: #{alg}")
     end
+
+    def self.encrypt_cek(alg, key, cek)
+      self.for(alg).new(key).encrypt(cek)
+    end
+
+    def self.decrypt_cek(alg, key, encrypted_cek)
+      self.for(alg).new(key).decrypt(encrypted_cek)
+    end
   end
 end

data/lib/jwe/alg/a128_kw.rb

@@ -2,6 +2,7 @@ require 'jwe/alg/aes_kw'
 
 module JWE
   module Alg
+    # AES-128 Key Wrapping algorithm
     class A128Kw
       include AesKw
 

data/lib/jwe/alg/a192_kw.rb

@@ -2,6 +2,7 @@ require 'jwe/alg/aes_kw'
 
 module JWE
   module Alg
+    # AES-192 Key Wrapping algorithm
     class A192Kw
       include AesKw
 

data/lib/jwe/alg/a256_kw.rb

@@ -2,6 +2,7 @@ require 'jwe/alg/aes_kw'
 
 module JWE
   module Alg
+    # AES-256 Key Wrapping algorithm
     class A256Kw
       include AesKw
 

data/lib/jwe/alg/aes_kw.rb

@@ -1,5 +1,8 @@
+require 'jwe/enc/cipher'
+
 module JWE
   module Alg
+    # Generic AES Key Wrapping algorithm for any key size.
     module AesKw
       attr_accessor :key
       attr_accessor :iv
@@ -11,39 +14,33 @@ module JWE
 
       def encrypt(cek)
         a = iv
-        r = cek.scan(/.{8}/m)
+        r = cek.force_encoding('ASCII-8BIT').scan(/.{8}/m)
 
         6.times do |j|
-          r.length.times do |i|
-            b = encrypt_round(a + r[i])
-
-            a = b.chars.first(8).join
-            r[i] = b.chars.last(8).join
-
-            t = (r.length * j) + i + 1
-            a = xor(a, t)
-          end
+          a, r = kw_encrypt_round(j, a, r)
         end
 
         ([a] + r).join
       end
 
-      def decrypt(encrypted_cek)
-        c = encrypted_cek.scan(/.{8}/m)
-        a = c[0]
+      def kw_encrypt_round(j, a, r)
+        r.length.times do |i|
+          b = encrypt_round(a + r[i]).chars
 
-        r = c[1..c.length]
+          a, r[i] = a_ri(b)
 
-        5.downto(0) do |j|
-          r.length.downto(1) do |i|
-            t = (r.length * j) + i
-            a = xor(a, t)
+          a = xor(a, (r.length * j) + i + 1)
+        end
+
+        [a, r]
+      end
 
-            b = decrypt_round(a + r[i - 1])
+      def decrypt(encrypted_cek)
+        c = encrypted_cek.force_encoding('ASCII-8BIT').scan(/.{8}/m)
+        a, *r = c
 
-            a = b.chars.first(8).join
-            r[i - 1] = b.chars.last(8).join
-          end
+        5.downto(0) do |j|
+          a, r = kw_decrypt_round(j, a, r)
         end
 
         if a != iv
@@ -53,10 +50,24 @@ module JWE
         r.join
       end
 
+      def kw_decrypt_round(j, a, r)
+        r.length.downto(1) do |i|
+          a = xor(a, (r.length * j) + i)
+
+          b = decrypt_round(a + r[i - 1]).chars
+
+          a, r[i - 1] = a_ri(b)
+        end
+
+        [a, r]
+      end
+
+      def a_ri(b)
+        [b.first(8).join, b.last(8).join]
+      end
+
       def cipher
-        @cipher ||= OpenSSL::Cipher.new(cipher_name)
-      rescue RuntimeError
-        raise JWE::NotImplementedError.new("The version of OpenSSL linked to your Ruby does not support the cipher #{cipher_name}.")
+        @cipher ||= Enc::Cipher.for(cipher_name)
       end
 
       def encrypt_round(data)

data/lib/jwe/alg/dir.rb

@@ -1,5 +1,6 @@
 module JWE
   module Alg
+    # Direct (no-op) key encryption algorithm.
     class Dir
       attr_accessor :key
 

data/lib/jwe/alg/rsa15.rb

@@ -1,5 +1,6 @@
 module JWE
   module Alg
+    # RSA RSA with PKCS1 v1.5 algorithm.
     class Rsa15
       attr_accessor :key
 

data/lib/jwe/alg/rsa_oaep.rb

@@ -1,5 +1,6 @@
 module JWE
   module Alg
+    # RSA-OAEP key encryption algorithm.
     class RsaOaep
       attr_accessor :key
 

data/lib/jwe/base64.rb

@@ -1,4 +1,5 @@
 module JWE
+  # Base64 for JWE is slightly different from what ruby provides.
   module Base64
     def self.jwe_encode(payload)
       ::Base64.urlsafe_encode64(payload).delete('=')

data/lib/jwe/enc.rb

@@ -6,12 +6,13 @@ require 'jwe/enc/a192gcm'
 require 'jwe/enc/a256gcm'
 
 module JWE
+  # Content encryption algorithms namespace
   module Enc
-    def self.for(enc)
-      klass = enc.gsub(/[-\+]/, '_').downcase.sub(/^[a-z\d]*/) { $&.capitalize }
-      klass.gsub!(/_([a-z\d]*)/i) { Regexp.last_match(1).capitalize }
-      const_get(klass)
-
+    def self.for(enc, cek = nil, iv = nil, tag = nil)
+      klass = const_get(JWE.param_to_class_name(enc))
+      inst = klass.new(cek, iv)
+      inst.tag = tag if tag
+      inst
     rescue NameError
       raise NotImplementedError.new("Unsupported enc type: #{enc}")
     end

data/lib/jwe/enc/a128cbc_hs256.rb

@@ -2,6 +2,7 @@ require 'jwe/enc/aes_cbc_hs'
 
 module JWE
   module Enc
+    # AES CBC 128 + SHA256 message verification algorithm.
     class A128cbcHs256
       include AesCbcHs
 

data/lib/jwe/enc/a128gcm.rb

@@ -2,6 +2,7 @@ require 'jwe/enc/aes_gcm'
 
 module JWE
   module Enc
+    # AES GCM 128 algorithm.
     class A128gcm
       include AesGcm
 

data/lib/jwe/enc/a192cbc_hs384.rb

@@ -2,6 +2,7 @@ require 'jwe/enc/aes_cbc_hs'
 
 module JWE
   module Enc
+    # AES CBC 192 + SHA384 message verification algorithm.
     class A192cbcHs384
       include AesCbcHs
 

data/lib/jwe/enc/a192gcm.rb

@@ -2,6 +2,7 @@ require 'jwe/enc/aes_gcm'
 
 module JWE
   module Enc
+    # AES GCM 192 algorithm.
     class A192gcm
       include AesGcm
 

data/lib/jwe/enc/a256cbc_hs512.rb

@@ -2,6 +2,7 @@ require 'jwe/enc/aes_cbc_hs'
 
 module JWE
   module Enc
+    # AES CBC 256 + SHA512 message verification algorithm.
     class A256cbcHs512
       include AesCbcHs
 

data/lib/jwe/enc/a256gcm.rb

@@ -2,6 +2,7 @@ require 'jwe/enc/aes_gcm'
 
 module JWE
   module Enc
+    # AES GCM 256 algorithm.
     class A256gcm
       include AesGcm
 

data/lib/jwe/enc/aes_cbc_hs.rb

@@ -1,5 +1,8 @@
+require 'jwe/enc/cipher'
+
 module JWE
   module Enc
+    # Abstract AES in Block cipher mode, with message signature for different key sizes.
     module AesCbcHs
       attr_accessor :cek
       attr_accessor :iv
@@ -13,37 +16,41 @@ module JWE
       def encrypt(cleartext, authenticated_data)
         raise JWE::BadCEK.new("The supplied key is invalid. Required length: #{key_length}") if cek.length != key_length
 
-        cipher.encrypt
-        cipher.key = enc_key
-        cipher.iv = iv
+        ciphertext = cipher_round(:encrypt, iv, cleartext)
 
-        ciphertext = cipher.update(cleartext) + cipher.final
-        length = [authenticated_data.length * 8].pack('Q>') # 64bit big endian
-
-        to_sign = authenticated_data + iv + ciphertext + length
-        signature = OpenSSL::HMAC.digest(OpenSSL::Digest.new(hash_name), mac_key, to_sign)
-        self.tag = signature[0...mac_key.length]
+        signature = generate_tag(authenticated_data, iv, ciphertext)
+        self.tag = signature
 
         ciphertext
       end
 
       def decrypt(ciphertext, authenticated_data)
-        raise JWE::BadCEK.new("The supplied key is invalid. Required length: #{key_length}") if cek.length != key_length
+        raise JWE::BadCEK, "The supplied key is invalid. Required length: #{key_length}" if cek.length != key_length
 
-        length = [authenticated_data.length * 8].pack('Q>') # 64bit big endian
-        to_sign = authenticated_data + iv + ciphertext + length
-        signature = OpenSSL::HMAC.digest(OpenSSL::Digest.new(hash_name), mac_key, to_sign)
-        if signature[0...mac_key.length] != tag
-          raise JWE::InvalidData.new('Authentication tag verification failed')
+        signature = generate_tag(authenticated_data, iv, ciphertext)
+        if signature != tag
+          raise JWE::InvalidData, 'Authentication tag verification failed'
         end
 
-        cipher.decrypt
+        cipher_round(:decrypt, iv, ciphertext)
+      rescue OpenSSL::Cipher::CipherError
+        raise JWE::InvalidData, 'Invalid ciphertext or authentication tag'
+      end
+
+      def cipher_round(direction, iv, data)
+        cipher.send(direction)
         cipher.key = enc_key
         cipher.iv = iv
 
-        cipher.update(ciphertext) + cipher.final
-      rescue OpenSSL::Cipher::CipherError
-        raise JWE::InvalidData.new('Invalid ciphertext or authentication tag')
+        cipher.update(data) + cipher.final
+      end
+
+      def generate_tag(authenticated_data, iv, ciphertext)
+        length = [authenticated_data.length * 8].pack('Q>') # 64bit big endian
+        to_sign = authenticated_data + iv + ciphertext + length
+        signature = OpenSSL::HMAC.digest(OpenSSL::Digest.new(hash_name), mac_key, to_sign)
+
+        signature[0...mac_key.length]
       end
 
       def iv
@@ -63,9 +70,7 @@ module JWE
       end
 
       def cipher
-        @cipher ||= OpenSSL::Cipher.new(cipher_name)
-      rescue RuntimeError
-        raise JWE::NotImplementedError.new("The version of OpenSSL linked to your Ruby does not support the cipher #{cipher_name}.")
+        @cipher ||= Cipher.for(cipher_name)
       end
 
       def tag
@@ -76,6 +81,7 @@ module JWE
         base.extend(ClassMethods)
       end
 
+      # Provides availability checks for Key Encryption algorithms
       module ClassMethods
         def available?
           new.cipher

data/lib/jwe/enc/aes_gcm.rb

@@ -1,5 +1,8 @@
+require 'jwe/enc/cipher'
+
 module JWE
   module Enc
+    # Abstract AES in Galois Counter mode for different key sizes.
     module AesGcm
       attr_accessor :cek
       attr_accessor :iv
@@ -11,13 +14,9 @@ module JWE
       end
 
       def encrypt(cleartext, authenticated_data)
-        raise JWE::BadCEK.new("The supplied key is too short. Required length: #{key_length}") if cek.length < key_length
-
-        cipher.encrypt
-        cipher.key = cek
-        cipher.iv = iv
-        cipher.auth_data = authenticated_data
+        raise JWE::BadCEK, "The supplied key is too short. Required length: #{key_length}" if cek.length < key_length
 
+        setup_cipher(:encrypt, authenticated_data)
         ciphertext = cipher.update(cleartext) + cipher.final
         self.tag = cipher.auth_tag
 
@@ -25,17 +24,20 @@ module JWE
       end
 
       def decrypt(ciphertext, authenticated_data)
-        raise JWE::BadCEK.new("The supplied key is too short. Required length: #{key_length}") if cek.length < key_length
-
-        cipher.decrypt
-        cipher.key = cek
-        cipher.iv = iv
-        cipher.auth_tag = tag
-        cipher.auth_data = authenticated_data
+        raise JWE::BadCEK, "The supplied key is too short. Required length: #{key_length}" if cek.length < key_length
 
+        setup_cipher(:decrypt, authenticated_data)
         cipher.update(ciphertext) + cipher.final
       rescue OpenSSL::Cipher::CipherError
-        raise JWE::InvalidData.new('Invalid ciphertext or authentication tag')
+        raise JWE::InvalidData, 'Invalid ciphertext or authentication tag'
+      end
+
+      def setup_cipher(direction, auth_data)
+        cipher.send(direction)
+        cipher.key = cek
+        cipher.iv = iv
+        cipher.auth_tag = tag if direction == :decrypt
+        cipher.auth_data = auth_data
       end
 
       def iv
@@ -47,9 +49,7 @@ module JWE
       end
 
       def cipher
-        @cipher ||= OpenSSL::Cipher.new(cipher_name)
-      rescue RuntimeError
-        raise JWE::NotImplementedError.new("The version of OpenSSL linked to your Ruby does not support the cipher #{cipher_name}.")
+        @cipher ||= Cipher.for(cipher_name)
       end
 
       def tag
@@ -60,6 +60,7 @@ module JWE
         base.extend(ClassMethods)
       end
 
+      # Provides availability checks for Key Encryption algorithms
       module ClassMethods
         def available?
           new.cipher

data/lib/jwe/enc/cipher.rb

@@ -0,0 +1,14 @@
+module JWE
+  module Enc
+    # Helper to get OpenSSL cipher instance from a string.
+    module Cipher
+      class << self
+        def for(cipher_name)
+          OpenSSL::Cipher.new(cipher_name)
+        rescue RuntimeError
+          raise JWE::NotImplementedError.new("The version of OpenSSL linked to your Ruby does not support the cipher #{cipher_name}.")
+        end
+      end
+    end
+  end
+end

data/lib/jwe/serialization/compact.rb

@@ -1,5 +1,7 @@
 module JWE
+  # Serialization namespace.
   module Serialization
+    # The default and suggested way of serializing JWE messages.
     class Compact
       def self.encode(header, encrypted_cek, iv, ciphertext, tag)
         [header, encrypted_cek, iv, ciphertext, tag].map { |piece| JWE::Base64.jwe_encode(piece) }.join '.'
@@ -7,7 +9,7 @@ module JWE
 
       def self.decode(payload)
         parts = payload.split('.')
-        raise JWE::DecodeError.new('Not enaugh or too many segments') unless parts.length == 5
+        raise JWE::DecodeError.new('Not enough or too many segments') unless parts.length == 5
 
         parts.map do |part|
           JWE::Base64.jwe_decode(part)

data/lib/jwe/version.rb

@@ -1,3 +1,3 @@
 module JWE
-  VERSION = '0.3.0'.freeze
+  VERSION = '0.3.1'.freeze
 end

data/lib/jwe/zip.rb

@@ -1,12 +1,10 @@
 require 'jwe/zip/def'
 
 module JWE
+  # Message deflating algorithms namespace
   module Zip
     def self.for(zip)
-      klass = zip.gsub(/[-\+]/, '_').downcase.sub(/^[a-z\d]*/) { $&.capitalize }
-      klass.gsub!(/_([a-z\d]*)/i) { Regexp.last_match(1).capitalize }
-      const_get(klass)
-
+      const_get(JWE.param_to_class_name(zip))
     rescue NameError
       raise NotImplementedError.new("Unsupported zip type: #{zip}")
     end

data/lib/jwe/zip/def.rb

@@ -2,11 +2,11 @@ require 'zlib'
 
 module JWE
   module Zip
+    # Deflate algorithm.
     class Def
       def compress(payload)
         zlib = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
-        zlib.deflate(payload)
-        zlib.finish
+        zlib.deflate(payload, Zlib::FINISH)
       end
 
       # Was using RFC 1950 instead of 1951.

data/spec/jwe/enc_spec.rb

@@ -7,8 +7,8 @@ require 'jwe/enc/a256gcm'
 
 describe JWE::Enc do
   describe '.for' do
-    it 'returns a class for the specified enc' do
-      expect(JWE::Enc.for('A128GCM')).to eq JWE::Enc::A128gcm
+    it 'returns an instance for the specified enc' do
+      expect(JWE::Enc.for('A128GCM')).to be_a JWE::Enc::A128gcm
     end
 
     it 'raises an error for a not-implemented enc' do

data/spec/jwe/serialization_spec.rb

@@ -1,14 +1,14 @@
 describe JWE::Serialization::Compact do
   describe '#encode' do
     it 'returns components base64ed and joined with a dot' do
-      components = %w(a b c d e)
+      components = %w[a b c d e]
       expect(JWE::Serialization::Compact.encode(*components)).to eq 'YQ.Yg.Yw.ZA.ZQ'
     end
   end
 
   describe '#decode' do
     it 'returns an array with the 5 components' do
-      expect(JWE::Serialization::Compact.decode('YQ.Yg.Yw.ZA.ZQ')).to eq %w(a b c d e)
+      expect(JWE::Serialization::Compact.decode('YQ.Yg.Yw.ZA.ZQ')).to eq %w[a b c d e]
     end
 
     it 'raises an error when passed a badly formatted payload' do

data/spec/jwe/zip_spec.rb

@@ -13,10 +13,20 @@ describe JWE::Zip do
 end
 
 describe JWE::Zip::Def do
-  it 'deflates and inflates to original payload' do
-    deflate = JWE::Zip::Def.new
-    deflated = deflate.compress('hello world')
-    expect(deflate.decompress(deflated)).to eq 'hello world'
+  context 'with the orginal payload' do
+    it 'deflates and inflates to original payload' do
+      deflate = JWE::Zip::Def.new
+      deflated = deflate.compress('hello world')
+      expect(deflate.decompress(deflated)).to eq 'hello world'
+    end
+
+    it 'deflates and inflates a large payload' do
+      deflate = JWE::Zip::Def.new
+      chars = [*'0'..'9', *'A'..'Z', *'a'..'z']
+      payload = Array.new(1_000_000) { chars.sample }.join
+      deflated = deflate.compress(payload)
+      expect(deflate.decompress(deflated)).to eq payload
+    end
   end
 
   it 'can deflate an RFC 1950 compressed message' do

data/spec/jwe_spec.rb

@@ -29,6 +29,18 @@ describe JWE do
     end
   end
 
+  describe 'when using extra headers' do
+    it 'roundtrips' do
+      encrypted = JWE.encrypt(plaintext, rsa_key, kid: 'some-kid-1')
+      result = JWE.decrypt(encrypted, rsa_key)
+      header, = JWE::Serialization::Compact.decode(encrypted)
+      header = JSON.parse(header)
+
+      expect(header['kid']).to eq 'some-kid-1'
+      expect(result).to eq plaintext
+    end
+  end
+
   it 'raises when passed a bad alg' do
     expect { JWE.encrypt(plaintext, rsa_key, alg: 'TEST') }.to raise_error(ArgumentError)
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwe
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Francesco Boffa
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-02 00:00:00.000000000 Z
+date: 2018-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: codeclimate-test-reporter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard
 email: fra.boffa@gmail.com
 executables: []
@@ -87,6 +101,7 @@ files:
 - lib/jwe/enc/a256gcm.rb
 - lib/jwe/enc/aes_cbc_hs.rb
 - lib/jwe/enc/aes_gcm.rb
+- lib/jwe/enc/cipher.rb
 - lib/jwe/serialization/compact.rb
 - lib/jwe/version.rb
 - lib/jwe/zip.rb
@@ -119,7 +134,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: JSON Web Encryption implementation in Ruby